DETAILED ACTION

1. This action is in response to communication: response to arguments received
07/14/2008. 

2. Claims 1-30 are currently pending in this application.

3. No new IDS has been received for this application. 

Response to Arguments 

4. Applicant's arguments filed on 07/14/2008 have been fully considered but they 
are not persuasive. 

As per claims 7, 9, 17, 19, 27, and 29, the applicants argue that the references 
do not teach copying the data packets, not switching to a second mode where the data 
packets are not copied. However, this was taught in the references, as shown in the 
prior Office Action. Ramsey teaches such limitations throughout the reference, such as 
in (col. 12 lines 43-56; col. 13 lines 4-18; col. 15 lines 1-20; col. 16 lines 8-16; col. 18 
line 17 to col. 19 line 34). 

As per claims 1, 22, and 21, the applicants argue that the references do not
teach statistical results of abnormal events because a signature is not related to a 
statistical result. However, as already stated in the previous Office action, virus 
signatures and intrusion detection signatures are statistical results of observed 
abnormal events recorded by the monitors which are defined by rules in the firewall, and 
anti-virus module and IDS and the virus monitor generates a report that is assessed by
and IDS in order to determine whether to drop, reject, deny, etc. the packet. Therefore,
Ramsey teaches such limitations. 

As per claims 1, 11, and 21, the applicants also argue that Douglas does not
teach a self registration module. However, Douglas does teach such self registration,
such as in col. 3 lines 28-49, and col. 4 lines 61-68.

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1-6, 8, 10-16, 18, 20-26, 28 and 30 are rejected under 35 USC 103(a) as 
unpatentable over Ramsey et al. (U.S. Patent No. 7,331,061), hereafter "Ramsey", in 
view of Douglas et al. (US Pat. No. 6269400), hereafter "Douglas" and further in view of 
Cass ("Anatomy of Malice", Spectrum IEEE, Nov. 2001, vol. 35, issue 11, pages: 56-60),
hereafter "Cass".

As per claim 1, Ramsey teaches a network virus defense system comprising: A
network virus/worm sensor (Fig. 2, item 250) operable in a number of modes arranged 
to detect a computer virus or a computer worm in the network such that the bandwidth 
of the network is substantially unaffected in a first mode in that data packets are not
removed from or added to the data stream, but are copied, and wherein when the virus
sensor detects the computer virus, the virus sensor switches to a second mode, 
wherein the data packets are not copied and wherein a subset of data packets 
determined to be infected or suspected of being infected are not returned to the 
network, (12:43-56, denies packets, detects and removes viruses, 16:8-16, shows no 
packets are removed or added, 18:17-19:34, packets are copied to the anti-virus 
module, and aren't copied to the secure network when found to be infected); 
A controller that is updated with new detection rules, storing a rules engine used to 
store and source a plurality of detection rules for detecting computer viruses and worms 
using statistical results of observed abnormal events as recorded and monitored by a 
virus monitor; the abnormal events defined in policies and the plurality of detection rules 
in the virus monitor; and wherein the virus monitor generates an abnormal behavior 
report which is evaluated by a server which determines an action to perform (12:43-56, 
16:8-16, shows no packets are removed or added, 18:17-19:34, virus signatures and 
intrusion detection signatures are statistical results of observed abnormal events 
recorded by the monitors which are defined by rules in the firewall, anti-virus module 
and IDS and the virus monitor generates a report that is assessed by and IDS in order 
to determine whether to drop, reject, deny, etc. the packet). 

Ramsey does not disclose a network virus sensor self registration module 
coupled to the network virus/worm sensor arranged to automatically self register the 
associated network virus/worm sensor. Douglas, on the other hand, discloses a network 
virus sensor self registration module coupled to the network virus/worm sensor (col. 3,
lines 28-31, HTTP server reads on self registration module) arranged to automatically
self register the associated network virus/worm sensor (col. 4, lines 65-68). 

It would have been obvious to one of ordinary skill in the art at the time the
applicant's invention was made to modify Ramsey by the methods of self registration
coupled to the network virus/worm sensor automatically self register the associated
network virus/worm sensor as taught by Douglas, and would be motivated to conduct
automatic discovery and registration of available agents on a distributed network
because it requires low CPU utilization and requires minimal programming of the agents
(Douglas, col. 2, lines 38-39).

Neither Ramsey nor Douglas discloses an anti-virus agent creation module that 
creates a detection module, infection module and payload. However, Cass discloses 
creating a detection module, an infection module and a payload (Section "Source of
Mischief", page 59).

It would have been obvious for one of skill in the art to modify the teachings
of Ramsey and Douglas to include the creation of a detection module, an infection
module and a payload as taught by Cass, and would be motivated to provide an
effective defense by understanding the cause and mechanism of infection (Cass, page
56, paragraph 5, lines 1-3).

With regard to claims 11 and 21, limitations of the instant claims have been
discussed in claim 1 above with the exception of the following limitation.

Neither Ramsey nor Douglas discloses creating a detection module that detects
whether a client device is infected with a virus and triggers the introduction of an
anti-virus infection module so that the virus in the client device is overwritten and an
anti-virus payload created based on features of the selected computer virus and perform as
cleaning/repairing payload capable of cleaning and repairing damage done to the client
device.

Cass, on the other hand, discloses a detection module for detecting whether a 
client device is presently infected with a virus, triggers the introduction of an anti-virus 
infection module so that the virus in a client device is overwritten, wherein an anti-virus 
agent payload, created based on features of the selected computer virus, performs as a 
cleaning/repairing payload capable of cleaning and repairing damage done to the client 
device, the payload also capable of inoculating the client device against the virus in 
cases where the client device was not infected by the computer virus ("Source of
Mischief" section, page 59).

It would have been obvious for one of skill in the art to modify the teachings
of Ramsey and Douglas to include creating a detection module that detects whether a
client device is infected with a virus and triggers the introduction of an anti-virus
infection module so that the virus in the client device is overwritten and an anti-virus
payload created based on features of the selected computer virus and perform as
cleaning/repairing payload capable of cleaning and repairing damage done to the client
device as taught by Cass, and would be motivated to provide an effective defense by
understanding the cause and mechanism of infection (Cass, page 56, paragraph 5,
lines 1-3).

With regard to claims 2, 12, and 22, Douglas further discloses the network 
virus/worm self registration module collects selected network environmental information 
and network configuration information (col. 4, lines 61-64, host name and operating 
system indicate network environmental and configuration information). 

It would have been obvious to one of ordinary skill in the art at the time the
applicant's invention was made to modify the teachings of Ramsey and Cass to include
self registration coupled to the network virus/worm sensor automatically self register the
associated network virus/worm sensor as taught by Douglas and would be motivated to
conduct automatic discovery and registration of available agents on a distributed
network (Douglas, col. 2, lines 38-39).

With regard to claims 3, 13 and 23, Douglas further discloses the selected 
network environmental information includes an IP address for all of the relevant client 
devices included in the IP-based network (col. 3, lines 61-64). It would have been
obvious to one of ordinary skill in the art at the time the applicant's invention was
made to modify the teachings of Ramsey and Cass by including an IP address for all
the relevant client devices included in the network, as taught by Douglas, and would be
motivated to conduct automatic discovery and registration of available agents on a
distributed network (Douglas, col. 2, lines 38-39).

With regard to claims 4, 14 and 24, Douglas further discloses the network 
configuration information includes self configuration information related to an
appropriate IP address for the network virus/worm sensor (col. 4, lines 61-64, host
name indicates self configuration).

It would have been obvious to one of ordinary skill in the art at the time the
applicant's invention was made to modify the teachings of Ramsey and Cass to include
the network configuration information includes self configuration information related to
an appropriate IP address for the network virus/worm sensor, as taught by Douglas, and
would be motivated to conduct automatic discovery and registration of available
agents on a distributed network (Douglas, col. 2, lines 38-39).

With regard to claims 5, 15 and 25, Douglas further discloses the network 
configuration information includes locations of all relevant server computers (col. 3, lines 
60-62, list of IP addresses indicates locations of all relevant server computers). 
It would have been obvious to one of ordinary skill in the art at the time the
applicant's invention was made to modify the teachings of Ramsey and Cass to include
the network configuration information includes locations of all relevant server
computers, as taught by Douglas, and would be motivated to conduct automatic
discovery and registration of available agents on a distributed network (Douglas, col. 2,
lines 38-39).

7. Claims 7, 9, 17, 19, 27 and 29 are rejected under 35 USC 103(a) as 
unpatentable over Ramsey in view of Douglas in view of Cass as applied to claims 1, 11
and 21 above and further in view of White et al. ("Anatomy of a Commercial-Grade
Immune System", IBM Research White Paper, 1999,
http://www.research.ibm.com/antivirus/SciPapers/White/Anatomy/Anatomy.PDF), hereafter
"White".

With regard to claims 7, 17 and 27, neither Ramsey, Douglas, nor Cass discloses 
an outbreak prevention policy (OPP) distribution and execution engine that provides a 
set of anti-virus policies, protocols, and procedures suitable for use by a system
administrator for both preventing viral outbreaks and repairing any subsequent damage 
caused by a viral outbreak. 

White, on the other hand, discloses an outbreak prevention policy (OPP) 
distribution and execution engine (Fig. 3, page 14, Supervisor, Gateways, and admin 
system indicates OPP distribution and execution engine) that provides a set of anti-virus 
policies (page 13, Cure Distribution section, second paragraph, lines 5-8, install the 
updated virus definition indicates antivirus policies), protocols (page 20, Classification 
section, first paragraph), and procedures (page 14, second paragraph, lines 4-12) 
suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak (page 13, Cure 
distribution section, first paragraph and second paragraph lines 5-7). 

It would have been obvious to one of ordinary skill in the art at the time the
applicant's invention was made to modify the teachings of Ramsey, Douglas, and Cass
to include an outbreak prevention policy (OPP) distribution and execution engine that
provides a set of anti-virus policies, protocols, and procedures suitable for use by a
system administrator for both preventing viral outbreaks and repairing any subsequent
damage caused by a viral outbreak, as taught by White and would be motivated to
provide an immune system that can find, analyze, and cure previously unknown
viruses faster than the viruses themselves can spread (White, page 2, first paragraph,
lines 1-2).

With regard to claims 9, 19 and 29, neither Ramsey, Douglas nor Cass discloses 
each of the outbreak prevention policy distribution and execution engines are updated 
with a set of anti-virus policies, a set of anti-virus protocols, and a set of anti-virus
procedures. White, on the other hand, discloses each of the outbreak prevention policy 
distribution and execution engines (Fig. 3, page 14, Supervisor, Gateways, and admin 
system indicates OPP distribution and execution engine) are updated with set of
anti-virus policies (page 13, Cure Distribution section, second paragraph, lines 5-8, install
the updated virus definition indicates antivirus policies), protocols (page 20, 
Classification section, first paragraph), and procedures (page 14, second paragraph, 
lines 4-12). 

It would have been obvious to one of ordinary skill in the art at the time the
applicant's invention was made to modify the teachings of Ramsey, Douglas, and Cass
to include each of the outbreak prevention policy distribution and execution engines are
updated with a set of anti-virus policies, a set of anti-virus protocols, and a set of
anti-virus procedures, as taught by White and would be motivated to provide an immune
system that can find, analyze, and cure previously unknown viruses faster than the
viruses themselves can spread (White, page 2, first paragraph, lines 1-2).

Conclusion

8. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Jason K. Gee whose telephone number is (571) 272-6431.
The examiner can normally be reached on M-F, 7:00 am to 4:30 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number
for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

Jason Gee 
Patent Examiner 
Technology Center 2100 
09/30/2008 
/Kambiz Zand/